Non-staff users can apply staff-only tags

I updated our site yesterday and just noticed a non-staff user applying our ‘featured’ tag to his post. This should not be possible as it’s defined as a staff-only tag. When I impersonated him, sure enough, I could access the restricted tags when posting. I tried to reproduce it here on meta, but I think tags are not available for regular users?

I’ve tried to reproduce the issue on my local development site, but so far am not having any luck with it. Do you know if the issue is happening in all categories on your site, or is it just in a particular category that non-staff users are able to add staff tags? Any hints about how to reproduce the issue would be helpful.

3 Likes

Ok, I’ll dig in deeper to see what’s going on here and will get back to you. It may take a little time though.

Ok I tested with a TL-0 and TL-1 user in safe mode and I can access the staff tag for every category on our forum. The same is true for the other tags on our staff-only list. I also reset the staff-only tag group permissions to ‘tags can be used by everyone’ and then back to ‘only the following groups can use them’, but that did not make a difference. Is there anything else I could test?

Do you have any other tag groups defined, or is the screenshot above the only group on your site? Are the users that you tested this with members of any other groups?

It is possible to create multiple tag groups with contradictory rules. If a user has permission to use a tag in any tag group, that will cancel out the rules from any other group saying they can’t use it.

These are all the groups that I use; the test I ran was with a basic user who is not a member of anything.

Common tags: available for everyone

Events: can only be used in the Events category:

2 Likes

When you say ‘access’, do you mean you can add them to topics, or that you can view them and click on them, etc?

The tags in your ‘Staff Tags’ tag group (ba-tips, cant-reproduce, featured, etc) can only be added to topics by users belonging to the staff group, but are visible to everyone. This means anyone can see those tags at the top of topics, click on the tag to see other topics tagged with that tag, etc.

If a TL0 user is able to add a ‘Staff Tags’ tag (eg, ‘ba-tips’) to a topic, that is an issue. I have recreated the tags/tag groups as per your screenshots on my local Discourse instance (limiting the tags in each tag group to the first three in each of the screenshots above), and my TL0/TL1 users are unable to add ‘ba-tips’ to a topic via the ‘New Topic’ button, or by creating a topic and then editing it. Are you able to add the tags via a different method/UI path?

2 Likes

Thanks for your reply Jamie, sorry that I wasn’t specific enough. I just upgraded to latest and ran the test again, with the same result. Steps to reproduce are:

  1. Log in as a TL0 or TL1 user
  2. Change to safe mode and disable everything
  3. Select any category
  4. Create a new topic
  5. Select the Featured tag, which is staff-only.
  6. Click ‘create topic’
  7. The post is created and the Featured tag is added

1 Like

I just saw something else that might be related: I can no longer access tag.json routes, like this one:

https://blenderartists.org/tags/featured.json

Update: whoops never mind, it seems like /tags/ got renamed to /tag/ which broke some of our automations.

Unfortunately, I’m still struggling to create a test case for this issue. Here are the steps I’ve taken:

  1. Created new site at commit: 6490fac881
  2. Created admin user: jamie.wilson
  3. Enabled SiteSetting: tagging enabled
  4. Created the following tags:
    360-renders
    add-ons
    advertisement
    conference
    contest
    meetup
    no-ads
    promotion-offered
    ba-tips
    cant-reproduce
    featured
  5. Created the tag groups, as per supplied screen shots (with no more than 3 tags per group for the purposes of debugging)
  6. Created ‘Events’ category, with a value of ‘Events’ for ‘Restrict these tag groups to this category’
  7. Admin user created topic in ‘Site Feedback’ category with ‘ba-tips’ tag from staff group.
  8. Logged out admin user
  9. Created new user (activated via email link): normal.user
  10. As normal.user, created new topic in Uncategorized or Site Feedback. Available tags: 360-renders, add-ons, advertisement
  11. Created new topic in Events. Available tags: conference, contest, meetup (not shown)
  12. Admin user can add restricted tags to normal.user post:
  13. Admin user can see all three tags:
  14. normal.user can only see two tags:

  # Rails console, evaluated with normal.user's Guardian
  DiscourseTagging.permitted_tag_names(Guardian.new(User.find_by_username('normal.user')))
  # => ["360-renders", "add-ons", "advertisement", "conference", "contest", "meetup"]
  DiscourseTagging.hidden_tag_names(Guardian.new(User.find_by_username('normal.user')))
  # => ["no-ads", "promotion-offered"]

Perhaps someone else is able to reproduce the issue? I’m unable to at this point.

6 Likes

I believe I found the issue: #featured was present in both the staff-only list and our ‘common tags’ list. I’m not sure how it ended up there, I’ll have to check our staff permissions and see if they created it somehow. Sorry for wasting your time, but I do appreciate your support a lot! :pray:

5 Likes
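The two points worth keeping from this thread are the rule Jamie states (if any tag group grants a tag to a user, that cancels every other group's restriction on the same tag) and the root cause the OP found (‘featured’ sat in both the staff-only group and the everyone-usable ‘Common tags’ group). The following is an added, stand-alone Ruby model of that union rule plus an audit that flags exactly this kind of overlap. It is not Discourse's own code (DiscourseTagging, Guardian and category-level tag restrictions are not used here); the group names and tag lists are assumptions reconstructed from the thread, and tags that belong to no group at all are not modelled.

```ruby
# Added example: models Discourse's "any grant wins" tag-group behaviour and
# audits a configuration for restricted tags that leak through a permissive group.
# Not Discourse's own code; group names/tag lists are assumptions from the thread.
require 'set'

TagGroup = Struct.new(:name, :tags, :allowed_groups) do
  # allowed_groups == :everyone models "tags can be used by everyone";
  # otherwise it is the Set of user-group names that may apply these tags.
  def usable_by?(user_groups)
    allowed_groups == :everyone || !(allowed_groups & user_groups).empty?
  end
end

# Permitted tags are the UNION over every tag group the user qualifies for.
# A tag listed in one permissive group is therefore usable even if another
# group restricts it, which is the behaviour described in the thread.
def permitted_tag_names(tag_groups, user_groups)
  tag_groups.select { |tg| tg.usable_by?(user_groups) }
            .flat_map(&:tags).uniq.sort
end

# Audit: tags in a group the user may NOT use that are nevertheless permitted
# through some other group. Returns [[restricted_group_name, tag], ...].
def leaked_restricted_tags(tag_groups, user_groups)
  restricted = tag_groups.reject { |tg| tg.usable_by?(user_groups) }
  allowed    = Set.new(permitted_tag_names(tag_groups, user_groups))
  restricted.flat_map do |tg|
    tg.tags.select { |t| allowed.include?(t) }.map { |t| [tg.name, t] }
  end
end

# Constructed configuration (assumed, approximating the thread's screenshots):
# 'featured' is mistakenly listed under "Common tags" as well as "Staff Tags".
BROKEN = [
  TagGroup.new('Staff Tags',  %w[ba-tips cant-reproduce featured], Set['staff']),
  TagGroup.new('Common tags', %w[360-renders add-ons advertisement featured], :everyone),
  TagGroup.new('Events',      %w[conference contest meetup], :everyone)
].freeze

# Same configuration with the duplicate removed from "Common tags".
FIXED = BROKEN.map do |tg|
  tags = tg.name == 'Common tags' ? tg.tags - ['featured'] : tg.tags
  TagGroup.new(tg.name, tags, tg.allowed_groups)
end.freeze

if __FILE__ == $0
  tl0 = Set['trust_level_0'] # a basic user who is in no other group
  p permitted_tag_names(BROKEN, tl0)     # 'featured' shows up for a TL0 user
  p leaked_restricted_tags(BROKEN, tl0)  # [["Staff Tags", "featured"]]
  p leaked_restricted_tags(FIXED, tl0)   # []
end
```

Running the audit against each trust-level or non-staff group before and after editing tag groups is the cheap check the thread was missing: any non-empty result means a restricted tag is reachable through a second, more permissive group, regardless of what the restricted group's own permission says.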

Not a problem! I’m glad the root cause was found and we can all feel a little more confident that the new feature is working as intended.

I hope it proves useful for you and your site now the config issues have been rectified. Let us know how it works out for you.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.